Document 14250791

advertisement
IAF MD 18:2015
International Accreditation Forum, Inc.
IAF Mandatory Document
Application of ISO/IEC 17021:2011 in the
Service Management Sector
(ISO/IEC 20000-1)
Issue 1
(IAF MD 18:2015)
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 2 of 11
The International Accreditation Forum, Inc. (IAF) facilitates trade and supports
regulators by operating a worldwide mutual recognition arrangement among
Accreditation Bodies (ABs) in order that the results issued by Conformity Assessment
Bodies (CABs) accredited by IAF members are accepted globally.
Accreditation reduces risk for business and its customers by assuring that accredited
Conformity Assessment Bodies (CABs) are competent to carry out the work they
undertake within their scope of accreditation. Accreditation Bodies (ABs) that are
members of IAF and the CABs they accredit are required to comply with appropriate
international standards and the applicable IAF application documents for the consistent
application of those standards.
ABs that are signatories to the IAF Multilateral Recognition Arrangement (MLA) are
evaluated regularly by an appointed team of peers to provide confidence in the
operation of their accreditation programs. The structure and scope of the IAF MLA is
detailed in IAF PR 4 - Structure of IAF MLA and Endorsed Normative Documents.
The IAF MLA is structured in five levels: Level 1 specifies mandatory criteria that apply
to all ABs, ISO/IEC 17011. The combination of a Level 2 activity(ies) and the
corresponding Level 3 normative document(s) is called the main scope of the MLA, and
the combination of Level 4 (if applicable) and Level 5 relevant normative documents is
called a sub-scope of the MLA.

The main scope of the MLA includes activities e.g. product certification and
associated mandatory documents e.g. ISO/IEC 17065. The attestations made
by CABs at the main scope level are considered to be equally reliable.

The sub scope of the MLA includes conformity assessment requirements e.g.
ISO 9001 and scheme specific requirements, where applicable, e.g. ISO TS
22003. The attestations made by CABs at the sub scope level are considered
to be equivalent.
The IAF MLA delivers the confidence needed for market acceptance of conformity
assessment outcomes. An attestation issued, within the scope of the IAF MLA, by a
body that is accredited by an IAF MLA signatory AB can be recognized worldwide,
thereby facilitating international trade.
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 3 of 11
TABLE OF CONTENTS
1.
SCOPE .................................................................................................................. 5
2.
NORMATIVE REFERENCES ................................................................................ 5
3.
TERMS AND DEFINITIONS .................................................................................. 5
4.
PRINCIPLES ......................................................................................................... 5
5.
GENERAL REQUIREMENTS ............................................................................... 5
6.
STRUCTURAL REQUIREMENTS ........................................................................ 6
7.
RESOURCE REQUIREMENTS ............................................................................ 6
8.
INFORMATION REQUIREMENTS ....................................................................... 6
9.
PROCESS REQUIREMENTS ............................................................................... 7
10.
MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES .. 10
Annex A......................................................................................................................... 11
Issue No 1
Prepared by: IAF Technical Committee
Date: 21 August 2014
Approved by: IAF Members
Date: 07 October 2014
Issue Date: 08 January 2015
Application Date: 08 January 2015
Name for Enquiries: Elva Nilsen
IAF Corporate Secretary
Contact: Phone: +1 (613) 454 8159
Email: secretary@iaf.nu
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 4 of 11
Introduction to IAF Mandatory Documents
The term “should” is used in this document to indicate recognised means of meeting
the requirements of the standards. A Conformity Assessment Body (CAB) can meet
these in an equivalent way provided this can be demonstrated to an Accreditation
Body (AB). The term “shall” is used in this document to indicate those provisions
which, reflecting the requirements of the relevant standard, are mandatory.
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 5 of 11
Application of ISO/IEC 17021:2011 in the Service Management Sector
(ISO/IEC 20000-1)
This document is mandatory for the consistent application of ISO/IEC 17021. All clauses
of ISO/IEC 17021 continue to apply and this document does not supersede any of the
requirements in that standard.
1.
SCOPE
This mandatory document specifies requirements and provides guidance for bodies
providing audit and certification of an information technology service management
system (ITSMS, ISO/IEC 20000-1), in addition to the requirements contained within
ISO/IEC 17021. It is primarily intended to support the accreditation of bodies providing
ITSMS certification.
2.
NORMATIVE REFERENCES
ISO/IEC 20000-1:2011 Information Technology – Service Management – Part 1:
Service management systems requirements
ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit
and certification of management systems
3.
TERMS AND DEFINITIONS
The terms and definitions from ISO/IEC 17021, Clause 3 and ISO/IEC 20000-1 apply.
4.
PRINCIPLES
The principles from ISO/IEC 17021, Clause 4 apply.
5.
GENERAL REQUIREMENTS
The requirements from ISO/IEC 17021, Clause 5 apply.
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
6.
Page 6 of 11
STRUCTURAL REQUIREMENTS
The requirements from ISO/IEC 17021, Clause 6 apply.
7.
RESOURCE REQUIREMENTS
The requirements from ISO/IEC 17021, Clauses 7.1 to 7.2.7 apply.
NOTE ISO/IEC 17021 Annex A: The following ITSMS-specific requirements and
guidance apply.
The requirements from ISO/IEC 17021, Clause 7.2.8 apply. In addition, the following
ITSMS-specific requirements and guidance apply.
The CB shall provide the opportunity of continuing professional development to its
certification personnel in order to maintain and improve their competence in ISO/IEC
20000 certification. In particular, the CB shall ensure the auditor’s knowledge in IT
service management practices and relevant regulatory requirements are maintained up
to date. Continual professional development may include, but is not limited to:
i.
additional work experience;
ii.
participating in training courses;
iii.
coaching;
iv.
private study; and
v.
participating in meetings, seminars or other relevant activities.
The requirements from ISO/IEC 17021, Clauses 7.2.9 to 7.5 apply.
8.
INFORMATION REQUIREMENTS
The requirements from ISO/IEC 17021, Clauses 8.1 to 8.4 apply.
8.5
Confidentiality
The requirements from ISO/IEC 17021, Clause 8.5 apply. In addition, the following
ITSMS-specific requirements and guidance apply.
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 7 of 11
Before the certification audit, the Certification Body shall ask the client organization to
report if any ITSMS records cannot be made available for review by the audit team
because they contain confidential or sensitive information and to provide the
corresponding justification. The Certification Body shall determine and record whether
the ITSMS can be adequately audited in the absence of this confidential information and
detail the corresponding rationale. If the Certification Body concludes that it is not
possible to adequately audit the ITSMS without reviewing the identified confidential or
sensitive records, it shall advise the client organization that the certification audit cannot
take place until appropriate access arrangements are granted.
Note: Alternatively an intermediary who has adequate competence and the required
level of clearance to view the confidential or sensitive information may be used to view
the records and confirm, or otherwise, the information requested. This intermediary shall
be accepted by both the CB and its client. However, such an intermediary should be
independent of the client organization.
The requirements from ISO/IEC 17021, Clause 8.6 apply.
9.
PROCESS REQUIREMENTS
9.1
General requirements
The requirements from ISO/IEC 17021, Clauses 9.1.1 and 9.1.3 apply
9.1.2 The requirements from ISO/IEC 17021, Clause 9.1.2 apply. In addition, the
following ITSMS-specific requirements and guidance apply.
The audit team shall audit the ITSMS of the client organization covered by the defined
scope against all applicable certification requirements. The Certification Body shall
ensure that the scope and boundaries of the ITSMS of the client organization are clearly
defined in terms of the characteristics of the business, the organization, its location,
assets and technology and considering ISO/IEC 20000-3. The Certification Body shall
confirm that the client organizations address the requirements stated in the scope of
their ITSMS.
9.1.4 The requirements from ISO/IEC 17021, Clause 9.1.4 apply. In addition, the
following ITSMS-specific requirements and guidance apply.
The time allocated shall consider the following ITSMS specific factors:
i.
the size of the ITSMS scope;
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 8 of 11
ii.
complexity of the ITSMS and complexity of the service(s) delivered by the
client organization;
iii.
the type(s) of business performed within scope of the ITSMS;
iv.
extent and diversity of technology utilized in the implementation of the
various components of the ITSMS;
v.
number of sites;
vi.
previously demonstrated performance of the ITSMS;
vii.
extent of SLAs and third party arrangements used within the scope of the
ITSMS;
viii. the standards and regulations which apply to the certification; and
ix.
the number of other parties, such as suppliers, internal groups or customers
acting as suppliers, involved in the provision of services.
9.1.5 The requirements from ISO/IEC 17021, Clause 9.1.5 apply. In addition, the
following ITSMS-specific requirements and guidance apply.
The requirements from IAF Mandatory document MD1 (certification of Multiple Sites
Based on Sampling), Clauses 0 to 5.2 apply. Where a multi-site organization operates
some dissimilar processes or activities at the different sites, or a combination of sites,
the Certification Body needs to justify and document the rationale for any sampling it
decides to implement during the certification of the management system. This shall
demonstrate how the same level of confidence in the conformity of the management
system across all the sites listed can be obtained. Attention also has to be paid to the
auditing of “virtual locations”, e.g. non-permanent sites, online sites, etc. where
sampling may or may not be appropriate.
The requirements from ISO/IEC 17021, Clauses 9.1.6 to 9.1.9 apply.
9.1.10
The requirements from ISO/IEC 17021, Clause 9.1.10 apply. In addition,
the following ITSMS-specific requirements and guidance apply.
The certification audit report shall provide the information on the client IT organization’s
identification, assessment and management of risks to the services.
The requirements from ISO/IEC 17021, Clauses 9.1.11 to 9.1.15 apply.
9.2
Initial audit and certification
The requirements from ISO/IEC 17021, Clauses 9.2.1 to 9.2.2 apply.
9.2.3 Initial certification audit
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
9.2.3.1
Page 9 of 11
Stage 1 audit
9.2.3.1.1
The requirements from ISO/IEC 17021, Clause 9.2.3.1.1 apply. In addition,
the following ITSMS-specific requirements and guidance apply.
In this stage of the audit, the Certification Body shall obtain documentation on the
design of the ITSMS covering the documentation required in Clause 4.3.1 of ISO/IEC
20000-1.
The objective of the stage 1 audit is to provide a focus for planning the stage 2 audit by
gaining an understanding of the ITSMS in the context of the client organization's ITSMS
policy and objectives, and, in particular, of the client organization's state of
preparedness for the audit.
The stage 1 audit includes, but should not be restricted to, the document review. The
Certification Body shall agree with the client organization when and where the
document review is conducted. In every case, the document review shall be completed
prior to the commencement of stage 2 audit.
The results of the stage 1 audit shall be documented in a written report. The
Certification Body shall review the stage 1 audit report for deciding on proceeding with
the stage 2 audit and for selecting stage 2 audit team members with the necessary
competence.
The Certification Body shall make the client organization aware of the further types of
information and records that may be required for detailed examination during the stage
2 audit.
The requirements from ISO/IEC 17021, Clauses 9.2.3.1.2 and 9.2.3.1.3 apply.
9.2.3.2
Stage 2 audit
The requirements from ISO/IEC 17021, Clause 9.2.3.2 apply. In addition, the following
ITSMS-specific requirements and guidance apply.
The audit shall focus on the client organization's:
i.
documentation requirements listed in Clause 4.3.1 of ISO/IEC 20000-1;
ii.
effectiveness of the controls implementing, monitoring, measuring and
reviewing service management objectives plans and processes;
iii.
internal ITSMS audits and management reviews; and
iv.
management responsibility for the policy.
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Issue 1
Page 10 of 11
The requirements from ISO/IEC 17021, Clauses 9.2.4 and 9.2.5 apply.
The requirements from ISO/IEC 17021, Clauses 9.3 to 9.9 apply.
10.
MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES
The requirements from ISO/IEC 17021, Clause 10 apply.
End of IAF Mandatory Document on the Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1).
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
IAD MD 18:2015
International Accreditation Forum, Inc.
Issue 1
Application of ISO/IEC 17021:2011 in the
Service Management Sector (ISO/IEC 20000-1)
Page 11 of 11
Annex A
(normative)
Required knowledge and skills
The requirements from ISO/IEC 17021, Annex A apply. The terms in ISO/IEC 17021
Annex A shall be read as follows.
“Knowledge of client business sector” shall include generic knowledge of information
technology and relevant regulatory requirements.
“Client products” means the services provided by client organization. “Client processes”
means the service management processes implemented by client organization.
“Specific management system standards” mean the ISO/IEC 20000 series. Auditors
shall have the understanding in interactions of service management processes
prescribed in ISO/IEC 20000 Part 1.
Further Information
For further Information on this document or other IAF documents, contact any member
of IAF or the IAF Secretariat.
For contact details of members of IAF see the IAF website: http://www.iaf.nu
Secretariat:
Elva Nilsen
IAF Corporate Secretary
Telephone: +1 (613) 454-8159
Email: secretary@iaf.nu
Issued: 08 January 2015
Application Date: 08 January 2015
© International Accreditation Forum, Inc. 2015
IAF MD 18:2015, Issue 1
Download